Two Big Security Watch Outs You Need To Know About For Meta

 

If you’ve been in the Meta advertising trenches lately, you’ve likely been focusing on navigating the rollout of the Andromeda engine and the constant push for Advantage+ automation, so you may not be aware that Meta has also been quietly tightening the screws on security and account hygiene. We’re keen to highlight two specific “watch outs” which are currently causing some major headaches for business owners: the automated removal of inactive users and a sophisticated new “Partner Access” phishing scam. Here is what you need to know to ensure you don’t wake up to a “Business Account Restricted” notification.

  1. The Great Inactive User Purge

Meta has recently doubled down on its security hygiene by beginning to automatically remove users from Business Managers (now often managed through Meta Business Suite) who haven’t performed an action in a set period, typically 90 to 180 days. While this sounds like good housekeeping, it’s creating a “lockout” nightmare for businesses that rely on a single admin or have former employees as their primary account holders.

The Complications:

  • The “Orphaned” Business Manager: If your primary admin is removed for inactivity, the account can become “orphaned,” making it incredibly difficult to verify ownership or add new users.
  • Asset Breaks: When a user is removed, any assets tied specifically to their personal profile’s “link” (like a legacy Pixel or an Instagram account connection) can occasionally glitch, halting your tracking or ad delivery.
  • Review Deadlocks: Meta’s automated systems are tightening the rules, and with more AI acting as the reviewer, many advertisers are finding issues with their accounts and ending up in a review-loop nightmare, unable to reach human support at Meta’s end.

The Aligned Media Tip: Don’t let your Business Manager become a ghost town. Ensure you have at least two active Admins at all times. If you aren’t currently running ads, it’s a good idea to log in once a month just to “touch” the account and ensure your status remains active.

  2. The Latest Scam: The “Partner Access” Phishing Trap

Just as Meta tightens its own security, scammers have found a way to use those very security notifications against you. The latest phishing scam targeting Business Managers doesn’t look like a “Nigerian Prince” email; it looks like a system notification.

How the Scam Works: You receive an email that looks very realistic at first, and the scary thing with this one is that it IS generated from within Meta as a legitimate partner request. It reads: “You’ve received a partner request. Partners are other businesses you work with on Facebook. Partner sharing lets you give access to your business assets, but not to your business portfolio. This request is from:”

The “Partner” often has a name designed to sound official. I’ve seen a few different ones, but it might be along the lines of:

  • “Meta Advertising Team”
  • “Business Support & Security”
  • “Ads Verification Department”
 
 

  

How the Scam Operates (there are a couple of variants as of May 2026)

  1. Creation of Fake Business: Attackers create a new Meta Business account with a deceptive, official-sounding name like “Meta Agency Partner Program” or “Account Verification Support”.
  2. Abusing Official Channels: The attackers use Meta’s “Request Access” feature to target business owners, requesting partner-level access to the victim’s Facebook Page, Ad Account, or Pixel.
  3. Legitimate Email Alert: Meta’s system automatically generates an email from facebookmail.com or for example , alerting the owner of a “new partner request”.
  4. The Payload: The email often directs users to a button to “view request,” which leads to a compromised page or initiates a messenger chat.
  5. Credential & Asset Theft: Once the user clicks through, they are pressured into entering their credentials, providing ID, or granting “admin” partner permissions to the scammers, who then lock the original owner out and run malicious ads.
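
Because the notification in step 3 really does come from Meta, the sender address cannot clear a request; only the requester's identity can. The sketch below is an added example, not part of the original post or any Meta tooling: it triages requests against a list of Business IDs you agreed with partners beforehand. The IDs, sample requests and function names are constructed for illustration.

```python
import re

# Assumption: Business IDs you agreed on with real partners out of band.
# Constructed placeholder value, not a real business.
AGREED_PARTNER_IDS = {"123456789012345"}

# Wording that makes a requester sound like Meta itself; drawn from the
# example names quoted on this page.
IMPERSONATION = re.compile(
    r"\b(meta|facebook|support|security|verification|advertising team)\b", re.I)

def sender_is_meta(domain):
    """True only for facebookmail.com or a subdomain, not look-alikes."""
    d = domain.lower().rstrip(".")
    return d == "facebookmail.com" or d.endswith(".facebookmail.com")

def triage(name, business_id, sender_domain):
    """Return (verdict, reasons) for one partner-request notification."""
    reasons = []
    if not sender_is_meta(sender_domain):
        reasons.append("notification did not come from facebookmail.com")
    if IMPERSONATION.search(name):
        reasons.append("requester name imitates a Meta department")
    if business_id not in AGREED_PARTNER_IDS:
        reasons.append("Business ID was never agreed with this partner")
    # A genuine Meta sender never clears a request: the scam rides on
    # real notifications, so only the agreed Business ID counts.
    verdict = "DECLINE" if reasons else "CONFIRM_VERBALLY_THEN_APPROVE"
    return verdict, reasons

# Constructed sample requests: (requester name, Business ID, sender domain).
SAMPLES = [
    ("Meta Advertising Team", "999999999999999", "facebookmail.com"),
    ("Ads Verification Department", "888888888888888", "facebookmail.com"),
    ("Example Agency Ltd", "123456789012345", "facebookmail.com"),
    ("Example Agency Ltd", "123456789012345", "facebookmail.com.example.net"),
]

if __name__ == "__main__":
    for name, bid, dom in SAMPLES:
        verdict, why = triage(name, bid, dom)
        print(f"{verdict:30} {name!r}: {'; '.join(why) or 'ID matches an agreed partner'}")
```
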
  3. Avoiding the Lockout: Your 2026 Security Checklist

To keep your Business Manager (and your sanity) intact, we recommend a quick 5-minute audit this week:

  • Check Your Admins: Go to Business Settings > People. Remove anyone who no longer works with you, and ensure you have at least two trusted, active admins.
  • Enable 2FA (No Excuses): Ensure every person with access has Two-Factor Authentication turned on. Meta is increasingly restricting accounts that don’t have this enabled across the board. We recommend using an Authenticator app as one of the safer options.
  • Verify Your Business: If you haven’t completed the Business Verification process already, we suggest this as well. Verified businesses have a much higher success rate when appealing automated lockouts.
  • Question Every “Partner”: If a legitimate agency (like Aligned Media!) needs access, we will discuss and explain that with you before providing you with our 15-digit Business ID. Never click “Approve” on a random request that appears in your notifications. Always check verbally and inside your Business Manager / Suite to ensure it is legitimate.
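
The first two checklist items can be run as a repeatable check rather than a one-off look. This is an added example, not from the original post: it audits a people list typed up from Business Settings > People against the 90 to 180 day inactivity window, the 2FA rule and the two-admin rule. The CSV columns and rows are constructed and are not a Meta export format.

```python
import csv
import io
from datetime import date

# Constructed list; columns are assumptions, not a Meta file format.
PEOPLE_CSV = """name,role,last_active,two_factor
Alex (owner),admin,2026-04-28,yes
Former employee,admin,2025-11-02,no
Agency contact,employee,2026-02-01,yes
Bookkeeper,employee,2026-05-01,no
"""

WARN_DAYS = 90    # lower bound of the removal window the page cites
PURGE_DAYS = 180  # upper bound of that window

def audit(csv_text, today):
    """Return a list of findings for the people on a Business Manager."""
    findings, safe_admins = [], 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        idle = (today - date.fromisoformat(row["last_active"])).days
        has_2fa = row["two_factor"].strip().lower() == "yes"
        if idle >= PURGE_DAYS:
            findings.append(f"{row['name']}: idle {idle}d, past the removal window")
        elif idle >= WARN_DAYS:
            findings.append(f"{row['name']}: idle {idle}d, inside the removal window")
        if not has_2fa:
            findings.append(f"{row['name']}: two-factor authentication is off")
        # Count only admins who are both recently active and protected by 2FA.
        if row["role"] == "admin" and idle < WARN_DAYS and has_2fa:
            safe_admins += 1
    if safe_admins < 2:
        findings.append(f"only {safe_admins} active admin(s) with 2FA; aim for at least two")
    return findings

if __name__ == "__main__":
    for line in audit(PEOPLE_CSV, date(2026, 5, 15)):
        print("-", line)
```
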

Need a Hand? Navigating Meta’s ever-changing landscape is a full-time job. If you’re worried your account setup is a “ticking time bomb” or you’ve accidentally clicked something you shouldn’t have, let’s chat. We provide Media Campaign and Platform Audits to ensure your data and your access are kept safe. 
